# Advances in Cryptology - CRYPTO 2003

@inproceedings{Boneh2003AdvancesIC, title={Advances in Cryptology - CRYPTO 2003}, author={Dan Boneh}, booktitle={Lecture Notes in Computer Science}, year={2003} }

The security of the RSA cryptosystem depends on the difficulty of factoring large integers. The best current factoring algorithm is the Number Field Sieve (NFS), and its most difficult part is the sieving step. In 1999 a large distributed computation involving hundreds of workstations working for many months managed to factor a 512-bit RSA key, but 1024-bit keys were believed to be safe for the next 15-20 years. In this paper we describe a new hardware implementation of the NFS sieving step…
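The sieving step the abstract singles out as the hardest part of NFS, shown in miniature as an added Python example (not code from the TWIRL paper or from this volume). It is a line sieve over the quadratic-sieve-style polynomial F(a) = a² − N, which has the same structure as NFS sieving: for every factor-base prime p and every root r of F mod p, mark the positions a ≡ r (mod p) by adding log p; report positions whose accumulated logarithms reach the size of F(a); confirm each candidate by trial division, because the sieve is only a filter. N = 15347 = 103·149, the factor-base bound 30 and the interval a = 124..133 are constructed sample parameters, and the helper names are the example's own.

```python
# Added illustration of the NFS "sieving step" in miniature (not TWIRL code).
# Sieve an interval of a-values for those where F(a) = a^2 - N factors
# completely over a small factor base. N, the bound and the interval used
# below are constructed sample parameters.
from math import isqrt, log


def small_primes(bound):
    """Primes <= bound by the sieve of Eratosthenes."""
    flags = bytearray([1]) * (bound + 1)
    flags[0:2] = b"\x00\x00"
    for i in range(2, isqrt(bound) + 1):
        if flags[i]:
            flags[i * i::i] = bytes(len(flags[i * i::i]))
    return [p for p in range(2, bound + 1) if flags[p]]


def factor_base(N, bound):
    """(p, roots) for primes p <= bound such that r^2 - N ≡ 0 (mod p) has a solution.
    A prime with no root never divides F(a) and is dropped. Roots are found by
    brute force, which is fine for the small p used here."""
    fb = []
    for p in small_primes(bound):
        roots = [r for r in range(p) if (r * r - N) % p == 0]
        if roots:
            fb.append((p, roots))
    return fb


def line_sieve(N, start, length, fb, slack):
    """Classic log-sieve over a in [start, start + length).
    For every (p, r) add log p at all positions a ≡ r (mod p), since p | F(a) exactly
    there. A position whose running total reaches log|F(a)| minus `slack` (the slack
    tolerates prime powers, which this sieve does not mark) is a smoothness candidate."""
    acc = [0.0] * length
    for p, roots in fb:
        lp = log(p)
        for r in roots:
            first = (r - start) % p  # offset of the first a >= start with a ≡ r (mod p)
            for i in range(first, length, p):
                acc[i] += lp
    cands = []
    for i in range(length):
        a = start + i
        v = a * a - N
        if v != 0 and acc[i] >= log(abs(v)) - slack:
            cands.append(a)
    return cands


def trial_divide(v, primes):
    """Exponent vector of |v| over `primes` plus the unfactored cofactor (1 means smooth)."""
    v = abs(v)
    exps = {}
    for p in primes:
        while v % p == 0:
            v //= p
            exps[p] = exps.get(p, 0) + 1
    return exps, v


def smooth_relations(N, start, length, bound, slack=4.0):
    """Sieve, then confirm every candidate by trial division.
    Returns [(a, {p: e}), ...] with |a^2 - N| = prod p^e over the factor base."""
    fb = factor_base(N, bound)
    primes = [p for p, _ in fb]
    rels = []
    for a in line_sieve(N, start, length, fb, slack):
        exps, cof = trial_divide(a * a - N, primes)
        if cof == 1:
            rels.append((a, exps))
    return rels


if __name__ == "__main__":
    N = 15347  # = 103 * 149, constructed toy modulus
    for a, exps in smooth_relations(N, start=124, length=10, bound=30):
        print(a, a * a - N, exps)
```

With these parameters the factor base is {2, 17, 23, 29} (the other primes up to 30 have no root of a² − N), and the sieve finds the three smooth values in the interval: 124² − N = 29, 126² − N = 23², and 127² − N = 2·17·23. The slack matters for 126: only log 23 is accumulated there while log 529 = 2 log 23, so a sieve that marks primes but not prime powers needs a threshold below log|F(a)| or it misses that relation. In a real NFS run this inner loop runs over intervals of billions of positions and two polynomials, which is why the abstract treats it as the cost that dominates and the part worth moving into hardware.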

## 751 Citations

CAIRN 2: An FPGA Implementation of the Sieving Step in the Number Field Sieve Method

- Mathematics, Computer Science; CHES
- 2007

This paper reports implementation and experimental results of a dedicated sieving device, "CAIRN 2", built on a Xilinx FPGA, which is designed to handle up to 768-bit integers and adopts a new implementation method (pipelined sieving) for NFS sieving.

Diophantine and Lattice Cryptanalysis of the RSA Cryptosystem

- Mathematics, Computer Science; Artificial Intelligence, Evolutionary Computing and Metaheuristics
- 2013

A survey of the mathematics of the RSA cryptosystem focussing on the cryptanalysis of RSA using a variety of diophantine methods and lattice-reduction based techniques is given.

Cryptanalysis of the Hidden Matrix Cryptosystem

- Mathematics, Computer Science; LATINCRYPT
- 2010

An efficient cryptanalysis of the so-called HM cryptosystem, and of one perturbed version of HM, is presented, and an upper bound on the maximum degree reached during the Gröbner basis computation of HM systems is provided.

Inverting HFE Is Quasipolynomial

- Computer Science; CRYPTO
- 2006

The complexity of the decryption attack, which uses Gröbner bases to recover the plaintext, and the complexity of a related distinguisher are considered; the decryption attack is shown to have quasipolynomial complexity, much smaller than the classical subexponential expressions encountered in factoring or discrete logarithm computations.

Improved Partial Key Exposure Attacks on RSA by Guessing a Few Bits of One of the Prime Factors

- Mathematics, Computer Science; ICISC
- 2008

This paper achieves significantly improved results by modifying the techniques presented by Ernst et al.

Partial Key Exposure on RSA with Private Exponents Larger Than N

- Mathematics, Computer Science; ISPEC
- 2012

This paper studies this extended setting of RSA and quantifies the number of bits of d required to mount practical partial key exposure attacks, based on Coppersmith's heuristic methods and validated by practical experiments run through the SAGE computer-algebra system.

New Partial Key Exposure Attacks on CRT-RSA with Large Public Exponents

- Mathematics, Computer Science; ACNS
- 2014

This paper proposes some lattice-based attacks for this extended setting of the known-LSBs case and introduces two approaches that work up to \(e < N^{3/8}\).

Simultaneous Hardcore Bits and Cryptography against Memory Attacks

- Mathematics, Computer Science; TCC
- 2009

The public-key encryption scheme of Regev, and the identity-based encryption scheme of Gentry, Peikert and Vaikuntanathan, are remarkably robust against memory attacks, where the adversary can measure a large fraction of the bits of the secret key or, more generally, can compute an arbitrary function of the secret key of bounded output length.

Total Break of the ℓ-IC Signature Scheme

- Mathematics, Computer Science; Public Key Cryptography
- 2008

Efficient forgery and full-key recovery attacks are presented on the ℓ-IC signature scheme recently proposed at PKC 2007, a multivariate scheme based on a new internal quadratic primitive that is extremely fast, since it requires one exponentiation in a finite field of medium size, and whose public key is shorter than in many multivariate signature schemes.

Partial Key Exposure: Generalized Framework to Attack RSA

- Mathematics, Computer Science; INDOCRYPT
- 2011

This work proposes lattice based approaches to factorize the RSA modulus N=pq (for large primes p, q) when the number of unexposed blocks is n≥1 and analyzes the ISO/IEC 9796-2 standard signature scheme (based on CRT-RSA) with partially known messages.

## References

Showing 1-10 of 27 references.

Improving Lattice Based Cryptosystems Using the Hermite Normal Form

- Computer Science; CaLC
- 2001

The increased efficiency of the new cryptosystems allows the use of bigger values for the security parameter, making the functions secure against the best cryptanalytic attacks, while keeping the key size even below the smallest key size for which lattice cryptosystems were ever conjectured to be hard to break.

Analysis and Improvements of NTRU Encryption Paddings

- Computer Science; CRYPTO
- 2002

It turns out that the first NTRU padding scheme is not even semantically secure (IND-CPA), but the second and third can be proven IND-CCA2-secure in the random oracle model, under however rather unusual assumptions.

REACT: Rapid Enhanced-Security Asymmetric Cryptosystem Transform

- Computer Science; CT-RSA
- 2001

REACT is presented, a new conversion which applies to any weakly secure cryptosystem, in the random oracle model, which could become a new alternative to OAEP, and even reach security relative to factorization, while allowing symmetric integration.

Imperfect Decryption and an Attack on the NTRU Encryption Scheme

- Computer Science; IACR Cryptol. ePrint Arch.
- 2003

A new type of encryption scheme is defined which encompasses both NTRU and an attack model for the attacks presented against it; the attacks use an oracle that determines whether valid ciphertexts are correctly deciphered, and recover the user's secret key.

Cryptanalysis of the Public-Key Encryption Based on Braid Groups

- Mathematics, Computer Science; EUROCRYPT
- 2003

This paper shows that the private-key can be recovered from the public-key for several parameters with significant probability in a reasonable time and gives a new requirement for secure parameters against the attack, which more or less conflicts with that against brute force attack.

Estimated Breaking Times for NTRU Lattices

- 1999

In this note we report on experiments with the lattices underlying the NTRU Public Key Cryptosystem. We present data for the time needed to find a small vector and use this data to extrapolate expected…

Pseudorandomness from Braid Groups

- Computer Science; CRYPTO
- 2001

Some cryptographic primitives under two related assumptions in braid groups are presented, together with a result on which particular bit of the argument x is pseudorandom given f(x).

Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack

- Mathematics, Computer Science; CRYPTO
- 1991

A formalization of chosen ciphertext attack is given in a model which is stronger than the "lunchtime attack" considered by Naor and Yung, and a non-interactive public-key cryptosystem based on non-interactive zero-knowledge proof of knowledge is proved secure against it.

Potential Weaknesses of the Commutator Key Agreement Protocol Based on Braid Groups

- Computer Science, Mathematics; EUROCRYPT
- 2002

This article shows how to reduce finding the shared key of this KAP to the list-MSCPs in a permutation group and in a matrix group over a finite field and develops a mathematical algorithm for the MSCP in braid groups.

Public-key cryptosystems provably secure against chosen ciphertext attacks

- Mathematics, Computer Science; STOC '90
- 1990

We show how to construct a public-key cryptosystem (as originally defined by Diffie and Hellman) secure against chosen ciphertext attacks, given a public-key cryptosystem secure against passive…